Introduction

Today, SSH (Secure SHell) is perhaps the most widely used protocol in the world for remote server administration. But there are many misconfigured SSH servers, which allow attackers to get a shell on Linux machines.

So, this post aims to give some tips to secure your SSH services.

The default port you will not use!

On a fresh install, SSH uses the default TCP port 22.

So, one tip, which will not guarantee that you are never attacked, is to change the default port to one in a higher range. When attackers run port scans, they sometimes use the quickest scan they have, which covers only a small port range. That is why it is recommended to replace the default port with a high port.

For example, you can change 22 to 50022.

When connecting to your SSH server, you will then need to specify the port. For example:

ssh -p 50022 username@remote_ip

The key is the key!

A lot of servers are accessible through password authentication. You can set a complex password, with special characters and numbers, to strengthen security.

BUT, a better way to secure your SSH installation is to disable password authentication once you are done configuring your server.

First step: copying

First of all, copy your public key to the remote server with the following command:

ssh-copy-id username@remote_ip

The shell will prompt you for the remote user's password, and then tell you that no password will be needed the next time you log into your server.

Second step: hardening

Now, it is time to change some parameters on our servers.

You can edit your /etc/ssh/sshd_config file to contain the following:

PubKeyAuthentication yes
PasswordAuthentication no

Now, you can restart your SSH service and voilà!

Disable root login

Sometimes (maybe too often), people allow remote root login.

If password authentication is allowed, the root password is frequently weak, and a simple brute-force attack allows an attacker to get a root shell on the server.

So, disable root login!

You can change the setting to the following:

PermitRootLogin no

There is no try…

Before using tools like Fail2ban (which is a good one), you can apply a native setting that limits the number of authentication attempts and hinders brute-force attacks.

In your /etc/ssh/sshd_config file, change the following:

MaxAuthTries 3

This limits authentication attempts to 3 per connection.
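
The settings from the sections above can be checked in one pass. The script below is an added example, not code from the original post: the function name audit_sshd_config and the sample file are constructed for illustration, and it accounts for sshd keeping the first value it reads for a keyword.

```shell
#!/bin/sh
# Added example, not from the original post. sshd keeps the FIRST value it reads
# for a keyword (Port is the exception: every Port line adds a listener) and
# keywords are case-insensitive. Include files and Match blocks are not evaluated.
audit_sshd_config() {
    # $1 = path to an sshd_config-style file. Prints PASS/FAIL per check
    # and returns non-zero if any check fails.
    awk '
    function check(ok, label) {
        printf "%s  %s\n", (ok ? "PASS" : "FAIL"), label
        if (!ok) failed = 1
    }
    BEGIN {
        # OpenSSH defaults, used when a keyword never appears in the file
        val["pubkeyauthentication"]   = "yes"
        val["passwordauthentication"] = "yes"
        val["permitrootlogin"]        = "prohibit-password"
        val["maxauthtries"]           = "6"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        sub(/[ \t]*=[ \t]*/, " ")            # "Keyword=value" is also accepted by sshd
        key = tolower($1)
        if (key == "match") exit             # global settings end at the first Match
        if (key == "port") { nports++; if ($2 + 0 == 22) port22 = 1; next }
        if (!(key in seen)) { seen[key] = 1; val[key] = $2 }   # first value wins
    }
    END {
        check(nports > 0 && !port22,                 "Port moved away from 22")
        check(val["pubkeyauthentication"] == "yes",   "PubkeyAuthentication yes")
        check(val["passwordauthentication"] == "no",  "PasswordAuthentication no")
        check(val["permitrootlogin"] == "no",         "PermitRootLogin no")
        check(val["maxauthtries"] + 0 <= 3,           "MaxAuthTries 3 or lower")
        exit failed
    }' "$1"
}

# Constructed sample: the hardened line is appended after a weaker one,
# so password authentication is still enabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 50022
PasswordAuthentication yes
PermitRootLogin no
MaxAuthTries 3
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "config needs attention"
rm -f "$sample"
```

On a live host, running sshd -t before the restart validates the file, and sshd -T (as root) prints the effective settings with Include files resolved.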

Bonus

You can dig deeper and create firewall rules to harden your setup.

Conclusion

This post was not really technical, but it gives some easy tips to harden your SSH server and keep unwanted users off your servers.